On Mon, Mar 24, 2008, Saurabh Agarwal wrote:
> I understand the security concern, but if squid is accessed by Users
> only within the company and company's intranet is secure enough, then it
> is an overkill as DNS is performed twice (Squid being used in transparent
> mode), once by the browser and then a second time by Squid.
>
> Shouldn't we have this as configurable through squid.conf file, though
> with the disclaimer you wrote earlier. This looks like a good feature to
> have.
>
> Like: Disable DNS lookups by Squid, instead use the DST IP address in the
> intercepted HTTP request.
> #disable_dns_lookup, hence use Dst IP from the packet
That's not a bad idea, but the possibility is there to absolutely, positively
blow away not only your clients' feet, but their legs, their torso, their
car/bike, and potentially their neighbours' pet. It's very dangerous.
I'll commit a patch if someone submits one. It has to have a very, very
large warning and it also needs to log something in cache.log to explain
why enabling the option is 100% dangerous.
Please realise that it's not only compromised hosts, it's also malicious users.
Adrian
--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Received on Mon Mar 24 2008 - 01:34:35 MDT
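To make the concern behind the reply concrete, here is an added illustration (not Squid code, and not part of the thread) that models the two forwarding policies under discussion for an intercepted request: Squid's own DNS lookup of the Host header compared against the packet's destination, versus the proposed "trust the DST IP, skip the lookup" option. The DNS table and requests are constructed sample data.

```python
# Added illustration, not Squid code: model the two forwarding policies
# discussed in the thread for an intercepted (transparent-mode) request.
from dataclasses import dataclass

# Constructed DNS answers standing in for Squid's own resolver lookup.
DNS_TABLE = {
    "intranet.example": {"10.0.0.5"},
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
}


@dataclass
class InterceptedRequest:
    dst_ip: str       # destination IP taken from the intercepted packet
    host_header: str  # Host: header supplied by the client


def resolve(host: str) -> set:
    """Stand-in for Squid's second DNS lookup (constructed table)."""
    return DNS_TABLE.get(host, set())


def decide_with_dns(req: InterceptedRequest) -> tuple:
    """Current behaviour modelled here: Squid resolves the Host header itself
    and forwards only when the packet destination agrees with DNS. A client
    whose Host header does not match where its packet was going is refused."""
    if req.dst_ip in resolve(req.host_header):
        return ("forward", req.dst_ip)
    return ("reject", "host/destination mismatch")


def decide_dst_ip_only(req: InterceptedRequest) -> tuple:
    """Proposed option: skip the second lookup and trust the packet's DST IP.
    The Host header is never checked against the destination, which is the
    exposure to compromised hosts and malicious users the reply warns about."""
    return ("forward", req.dst_ip)


if __name__ == "__main__":
    good = InterceptedRequest("192.0.2.10", "www.example.com")
    bad = InterceptedRequest("10.0.0.5", "www.example.com")
    print(decide_with_dns(good), decide_dst_ip_only(good))
    print(decide_with_dns(bad), decide_dst_ip_only(bad))
```

The mismatching request is exactly the case the DNS lookup catches and the proposed option would let through, which is why the reply asks for a loud warning and a cache.log message if such an option is ever added.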